m 
o 



3 



Composable security of delegated quantum 
computation 

Vedran Dunjko* 1,2 , Joseph F. Fitzsimons^ 3 , Christopher 
Portmanri'!' 4 ' 5 , and Renato Renner^ 4 

1 School of Informatics, University of Edinburgh, Edinburgh EH8 9AB, U.K. 
2 Division of Molecular Biology, Ruder Boskovic Institute, Bijenicka cesta 54, P.P. 



180, 10002 Zagreb, Croatia 

£h ' 3 Centre for Quantum Technologies, National University of Singapore, Block S15, 3 

Science Drive 2, Singapore 117543 
4 Institute for Theoretical Physics, ETH Zurich, 8093 Zurich, Switzerland. 
Group of Applied Physics, University of Geneva, 1211 Geneva, Switzerland. 



' C-T 1 January 17, 2013 

, Abstract 



Delegating difficult computations to remote large computation facili- 
ties, with appropriate security guarantees, is a possible solution for the 
ever-growing needs of personal computing power. For delegated computa- 
tion protocols to be usable in a larger context — or simply to securely run 
^ . two protocols in parallel — the security definitions need to be composable. 

04 ' Here, we define composable security for delegated quantum computation, 

and prove that several known protocols are composable, including Broad- 
bent, Fitzsimons and Kashefi's Universal Blind Quantum Computation 
protocol. 



o 

1 Introduction 

1.1 Background 

, It is unknown in what form quantum computers |Deu85[|Fey82| will be built. 

One possibility is that large quantum servers may take a role similar to that 
occupied by massive superclusters today. They would be available as important 
components in large information processing clouds, remotely accessed by clients 
using their home-based simple devices. Since the quantum servers would be 
accessed "online" and remotely, the issue of the security and the privacy of the 
computation becomes paramount. 

Childs jChi05j proposed the first such delegated quantum computation (DQC), 
which hides the computation from the server, i.e., the computation is blind. This 



* vdunj ko@in f". ed. ac .iik| 
i j oe . f itzsimonsSnus . edu . sg 
1 chportmaSphys . ethz . ch 
- r ennerSphy s . ethz . ch 



1 



was followed by many ot hers [A^[IBFK09llAF3ET0llMDKllUMF12j . In partic- 
ular, Arrighi and Salvail [AS06] introduced a notion of verifiability — checking 
that the server does what is expected — but only for a restricted class of public 
functions, and Broadbent, Fitzsimons and Kashcfi [BFK09 , whose protocol is 
both universal and blind, require particularly little quantum processing from 
the client. 

However, these works all use stand-alone security definitions, i.e., none of 
them consider the compos ability of the protocol. This means that, even though 
they prove that the server cannot — from the information leaked during a single 
execution of the protocol in an isolated environment — learn the computation 
or produce a wrong output without being detected, they do not guarantee any 
kind of security in any realistic setting. In particular, if a server treats two re- 
quests simultaneously or if the delegated computation is used as part of a larger 
protocol (such as the quantum quantum coins of Mosca and Stebila |MS10j ). 
previous works do not provide any proof of security. 

To illustrate how too weak security notions can create a problem in a larger 
context, consider the task of computing a witness for a positive instance of an NP 
problem, and the (somewhat absurd) protocol in which the server simply picks 
a witness at random and sends it to the client. The protocol obviously does not 
leak any information about the input, since no information is sent from the client 
to the server. The client can also verify that the solution received is correct, and 
never accepts a wrong answer. But if the server ever learns whether the witness 
was accepted, he learns something about the input problem — if there are only 
two choices for the input with distinct witnesses, he learns exactly which one 
was used. These intuitive security notions are insufficient, and we have to take 
great care what security definitions are used. 

What is more, problems are known which have stand-alone solutions, but 
for which no protocol which is composable exists. Coin expansion, in which two 
mutually distrustful players want to generate n random coin flips given m < n 
perfect coin flips, is such an example HMQU06 . Even though there exists 
a protocol which achieves this when run once, two parallel executions of the 
protocol allow a dishonest player to generated correlated coin flips. 

1.2 Scope and security of DQC 

A common feature of all DQC protocols is that the client, while not being 
capable of full-blown quantum computation, has access to limited quantum- 
enriched technology, which she needs to interact with the server. 

One of the key points upon which the different DQC protocols vary, is the 
complexity and the technical feasibility of the aforementioned quantum-enriched 
technology. In particular, in the proposal of Childs |Chi05j . the client has quan- 
tum memory, and the capacity to preform local Pauli operations. In the protocol 
of Arrighi and Salvail |AS06j the client can generate relatively involved superpo- 
sitions of multi-qubit states, and can perform a family of multi-qubit measure- 
ments. Aharonov, Ben-Or and Eban 1ABE10I . for the purposes of studying the 
so-called quantum prover interactive proof systems, considered a secure DQC 
protocol in which the client has a constant-sized quantum computer. The blind 
DQC protocol proposed by Broadbent, Fitzsimons and Kashefi |BFK09| has ar- 
guably the lowest requirements on the client. In particular, it does not require 



2 



any quantum memory for the client, and all that is required is that she can 
prepare single qubits in separable states randomly chosen from a small finite set, 
analogous to the difficulty of generating BB84 states. Alternatively, Morimae 
and Fujii [MF12] propose a DQC protocol in which the client only needs to 
measure the qubits she receives from the server to perform the computation. 

A second important distinction between these protocols is in the types of 
problems the protocol empowers the client to solve. The protocols in [Chi05 , 
ABE10, BFK09, MF12 allow a client to preform universal quantum computa- 
tion, whereas in |AS06j the client is restricted to the the evaluation of random- 
verifiabl^l functions, efficiently solvable on a quantum computer. 

Finally, an important characteristic of these protocols is the flavor of se- 
curity guaranteed to the client. Here, one is predominantly interested in two 
distinct features: privacy of computation (generally referred to as blindness) 
and verifiability of computation. Blindness characterizes the degree to which 
the computational input and output, and the computation itself, remain hid- 
den from the server, whereas verifiability ensures that the client has means 
of confirming that the final output of the computation is correct. The proto- 
cols in [Chi051lAT3ETllBFK091|]VIFT2] offer perfect stand-alone blindness for the 
client. In the proposal in |AS06j . provided the protocol did not abort, a measure 
of mutual information between the client's input and the system of the server 
can be made arbitrarily small by tuning the protocol parameters. Concerning 
verifiability, the protocols in |AS0 6, ABElO] and a modified variant of |BFK09j 
proposed by Fitzsimons and Kashefi |FK12j offer mechanisms which allow the 
client to test whether the computation itself has been performed correctly. 

The prospects of delegated quantum computation with suitable security 
properties go beyond the purpose of solving computational problems for clients. 
In [ABE! 0i lAV12j verifiable quantum computation has been linked to quantum 
complexity theory, and to the fundamental problem of the feasibility of falsi- 
fying quantum mechanics which arises whenever larger quantum systems are 
considered |Vaz07j . On the other hand, the privacy properties of a secure DQC 
have been exploited in |MS10| . where DQC is suggested as a component of the 
verification step of unforgcablc quantum coins. 

1.3 Composable security 

Thc first frameworks for defining composable security were proposed indepen- 
dently by Canetti |Can01ICan05j and by Backes, Pfitzmann and Waidner [PW00 ( 
BPW04 , who dubbed them Universally Composable (UC) security and Reactive 
Simulatability, respectively. These security notions have been extended to the 
quantum setting by Ben-Or and Mayers [BOM04 and Unruh |Unr041IUnrl0j . 

More recently, Maurer and Renner proposed a new composable framework, 
Abstract Cryptography (AC) |MRll[|Maullj . Unlike its predecessor that use a 
bottom-up approach to defining models of computation, algorithms, complexity, 

1 This holds in the case of classical input and output. If quantum inputs and/or outputs 
are required, then the client has to be able to apply a quantum one-time pad to the input 
state, and also decrypt a quantum one-time pad of the output state. 

2 Roughly speaking, a function / is random- verifiable if pairs of instances and solutions 
(x, f(x)) can be generated efficiently classically, where x is sampled according to the uniform 
distribution from the function's domain. It is believed that not all functions efficiently solvable 
on a quantum computer are random-verifiable. 



3 



efficiency, and then security of cryptographic schemes, the AC approach is top- 
down and axiomatic, where iower abstraction levels inherit the definitions and 
theorems (e.g., a composition theorem) from the higher level, but the definition 
or concretization of low levels is not required for proving theorems at the higher 
levels. In particular, it is not hard-coded in the security notions of AC whether 
the underlying computation model is classical or quantum, and this framework 
can be used equally for both. 

Even though these frameworks differ considerably in their approach, they all 
share the common notion that composablc security is defined by the distance 
between the real world setting, and an ideal setting in which the cryptographic 
task is accomplished in some perfect way. We use AC in this work, because 
it simplifies the security definitions by removing many notions which aren't 
necessary at that level of abstraction. But the same results could have been 
proven using another framework, e.g., a quantum version of UC security |UnrlOj . 

1.4 New results 

In this paper, we define composablc security of delegated quantum computing, 
using the aforementioned AC framework |MRll[|Maullj . We model DQC in a 
generic way, which is independent of the computing requirements or universality 
of the protocol, and then define composablc blindness and composablc verifia- 
bility for this model. The security definitions are thus applicable to any DQC 
protocol fitting in our model. 

We then analyze existing protocols using the composable security definitions. 
We first show that both the DQC protocol of Broadbent, Fitzsimons and Kashcfi 
[BFK09j and that of Morimae and Fujii |MF12j provide perfect composable 
blindness. 

Next, we study the relations between stand-alone security and composable 
security of DQC in a generic way. We show that by strengthening the notion 
of stand-alone vcrifiability, we can close the gap between stand-alone and com- 
posable security of DQC. More concretely, we show that any protocol satisfying 
two simple definitions, stand-alone blindness and what we dub stand-alone inde- 
pendent verifiability, are always composable. This implies that the protocol of 
Fitzsimons and Kashefi |FK12| provides composable blindness and verifiability. 

1.5 Related work 

The blind DQC of [BFK09 has recently been getting considerable attention in 
both the experimental and theoretical scientific community. Due to the rela- 
tively modest requirements on the client, a small-scale experimental realization 
of the protocol has already been demonstrated [BKB+12] , Various theoretical 
modifications of this protocol have been proposed. For instance the settings 
where the client does only measurements |MF12j . where the client uses weak 
coherent pulses |DKL12| . or the server uses different types of computational 
resource states |MDKll] have been studied. Recently, a variant for continuous- 
variable quantum computation has been proposed as well |Morl2| . 

It is worth mentioning that the questions of secure delegated computation 
have initially been addressed in the context of classical client-server scenarios. 
Abadi, Feigenbaum and Killian |AFK87| considered the problem of "computing 



4 



with encrypted data" , where for a function /, an instance x can be efficiently en- 
crypted into z = Ek(x) in such a way that the client can recover f{x) efficiently 
from k and f(z) computed by the server. There they showed that no NP-hard 
function can be computed while maintaining unconditional privacy, unless the 
polynomial hierarchy collapses at the third level |AFK87j . The problem of se- 
curely delegating difficult and time-consuming computations was also studied in 
the framework of (computationally secure) public-key cryptography, essentially 
from its very beginnings [RAD 78 j. Even in this setting, this problem known as 
fully homomorphic encryption, remained open for 30 years [Gen09j . 

1.6 Structure of this paper 

In ISection 2l we introduce the AC framework that we use to model security. In 
ISection 3l we introduce delegated quantum computation, and model composable 
security for such protocols. In ISection 41 we prove that some existing protocols 
are composably blind. In particular, we show that the Broadbcnt, Kashefi, 
Fitzsimons blind DQC protocol |BFK09j is composably blind. In ISection 5l we 
show that composable vcrifiability is equivalent to the distance between the real 
protocol and some ideal map that simultaneously provides both (stand-alone) 
blindness and verifiability. This map is however still more elaborate than exist- 
ing stand-alone definitions. In lScction 6l we break it down into individual notions 
of blindness and independent verifiability, and prove that these are sufficient to 
achieve composable security. 

2 Abstract cryptography 
2.1 Overview 

To model security we use the constructive cryptography paradigm [Maullj : we 
view a cryptographic protocol as constructing some resource S out of other 
resources 31. For example, a one-time pad constructs a secure channel out 
of a secret key and an authentic channel; a quantum key distribution protocol 
constructs a shared secret key out of a classical authentic channel and an insecure 
quantum channel. If some protocol tt constructs § out of 3? with error e, we 
write 

ft ^>S. (I) 

This model fits in Maurer and Renner's |MRllj Abstract Cryptography 
framework. Instead of the traditional bottom-up approach of first defining (at a 
low level) a computational model (e.g., a Turing machine or a circuit), based on 
which the concept of an algorithm for the model and a communication model 
(e.g., based on tapes) are defined, after which notions of complexity, efficiency, 
and finally the security of a cryptosystem can be defined, the AC framework 
uses a top-down approach: in order to state definitions and develop a theory, one 
starts from the other end, the highest possible level of abstraction, and proceeds 
downwards, introducing in each new lower level only the minimal necessary spe- 
cialization's Since the AC framework defines security in a composable way, 

3 It is important to point out that theorems proven at a certain (high) level of abstraction are 
completely precise (as they are mathematical theorems). This is true without instantiations 
of the lower levels, which is exactly the point of abstraction. 



5 



this is inherited by protocols satisfying Eq. Intuitively, the resource 51 

along with the protocol tt are part of the real world, and the resource § is some 
ideal abstraction of the resource we want to build. Eq. (1) is satisfied if one 



can argue that an adversary could, in an ideal world where the ideal resource is 
available, achieve anything that he could achieve in the real world. This argu- 
ment involves, as a thought experiment, a simulator system which transforms 
the ideal resource into the real world system consisting of the real resource and 
the protocol. 



2.2 Resources, converters and distinguishes 

Depending on what model of computing is instantiated at a lower level, a re- 
source can be modeled as random system in the classical case (Mau02 , M PR07j , 
or, if the underlying system is quantum, as a sequence of CPTP maps with 
internal memory (e.g., quantum combs [CDP09| ). However, in order to define 
the security of a protocol, it is not necessary to go down to this level of detail, 
a resource can be modeled in more abstract termto. A resource is an (abstract) 
system with interfaces specified by a set I (e.g., 1 = {A, B, E}). Each interface 
i G T is accessible to a user i and provides him or her with certain functionalities. 
Furthermore, a dishonest user might have access to more functionalities than an 
honest one, and these should be clearly marked as such (e.g., a filter covers these 
functionalities, and a dishonest user removes the filter to access them). We call 
these guaranteed and filtered functionalities. For example, a key distribution 
resource has no guaranteed functionalities at Eve's interface, but provides her 
with the filtered functionality of preventing a key being generated. Alice's inter- 
face guarantees that she either gets a secret key or an error, but it also provides 
her with the filtered functionality of choosing what key is generated. 

A protocol tt = {TTi}i£T is a set of converters 7T,, indexed by the set of 
interfaces X. A converter can be modeled mathematically as a special case of a 
resource with only two interfaces, an outside interface and an inside interface. 
The outside interface is connected to the outside world, it receives the inputs 
and produces the outputs. The inside interface is connected to the resources 
used. For example, let tt be a one-time pad protocol, and tta be Alice's part 
of the protocol: tta is connected at the inner interface to a resource generating 
a secret key and to an authentic channel (for this example, we assume that 
neither the ideal key nor the authentic channel produce an error, they both 
always generate a key and deliver the message, respectively), both of which we 
combine together as the resource 31. At the outer interface it receives some 
message x, it gets a key k from the key resource, and sends x © k down the 
authentic channel. Bob's part of the protocol ttb receives y from the authentic 
channel and k from the key resource at its inner interface, and outputs y © k at 

4 Concretely, for the model to be composable, we need the following conditions fulfilled: 
R ^ S and S 7 3? " W+S ') 7 

% 1£> S and $ I^U S' => %\\3<! ^'< E+E ', S ||S' 

where R\\R! is a parallel composition of resources, and tt' o tt and tt\tt' are sequential and 
parallel composition of protocols. This has been proven on a higher level of abstraction 
in |MR11I and on this level for the special case of Alice-Bob- Eve protocols in IMaulll . 

5 In particular, on this level of abstraction it is not relevant whether the underlying system 
is classical or quantum. 



6 



the outer interface. Note that the protocol also specifies an honest behavior for 
Eve, 7Te, which consists in not listening to the communication channel, i.e., it is 
a converter with no functionalities at the outer interface and which blocks the 
leaks from the authentic channel at the inner interface. Converters connected 
to resources build new resources with the same interface set, and we write either 
7^ ft or Jiiti to denote the new resource with the converter m connected at the 
interface 

A distinguisher T> (for n-interface resources) is a system with n + 1 inter- 
faces, where n interfaces connect to the interfaces of a resource ft and the other 
(outside) interface outputs a bit. For a class of distinguishcrs D, this induces a 
pseudo-metric, the distinguishing advantage, 

d(ft,S) := maxPrfBft = 11- PrfDS = ll. 

where Dft is the binary random variable corresponding to D connected to 
If d(ft, S) < e, we say that the two resources are e-close and sometimes write 
ft « e S; or ft = S if e = 0. 

2.3 Security 



To show that a protocol 7r (securely) constructs § out of ft within e (Eq. (1)), 
we need to show that the concrete resource, obtained by combining the available 
resources ft and protocol w, is e-close to the ideal resource § (combined with 
some simulators to be defined a paragraph lower). In the case of the one-time 
pad, we wish to construct a secure channel §, which is defined as follows (for 
simplicity, we assume that Alice and Bob are always honest, and ignore their fil- 
tered functionalities) : § takes a message x at the A-interface, leaks the message 
length |ar| at the ^-interface, and outputs x at the B-intcrface. This resource 
captures the desired notion of a secure channel, because it only leaks the mes- 
sage size, and does not provide the adversary with any functionality to falsify 
the message. The message size leak at the £?-intcrface is a filtered functionality, 
which we model explicitly by defining a filter converter tpE which has no func- 
tionalities at the outer interface, and blocks this message size leak at the inner 
interface. In the general case, these filters can be defined for all interfaces, and 
we denote by ^ their set. 

The correctness of the protocol 7r is captured by measuring the distance be- 
tween 7rft, the combination of the entire honest protocol with the resources, and 
ipS, the ideal resource with all filtered functionalities obstructed. In the case of 
the one-time pad, we have d(ir a^ b^ eR, V'-eS) = 0, since the resources ttattb^e^- 
and ipE& both simply take a message x as input at the outside interface of tta 
and output the same message at the outside interface of ttb- Security of the pro- 
tocol in the case of a dishonest player i is achieved if, when the honest protocol 
TTi is removed from the concrete case on the left side, there exists a simulator 
converter cr^ that can be plugged in the i-interfacc of the ideal resource § and 



6 There is no mathematical difference between 7r;J? and Jliri. It sometimes simplifies the 
notation to have the converters for some players written on the right of the resource and the 
ones for other players on the left, instead of all on the same side, hence the two notations. 

7 In this work we study information-theoretic security, and therefore the only class of distin- 
guishcrs that we consider is the set of all distinguishcrs. In lScctioii 3.3.2l wc discuss further the 
distinguishing advantage and induced pseudo-metric for the special case of delegated quantum 
computation protocols. 



7 



which recreates all the communication necessary for the real and ideal worlds 
to be indistinguishable. In the case of the one-time pad and a dishonest Eve, 
the converter erg simply reads the message length at its inside interface, and 
outputs a random string y of the corresponding length at its outside interface. 
It is not hard to verify that with this simulator, d^A^B^-, o\e§) = 0, since the 
resources tta^b^- and crgS both take a message x at their ^4-intcrface, which 
they output at their _B-intcrface, and output a completely random string of the 
same length at their _E-interface. 

The generic security definition is as follows. 

Definition 2.1 (Sec [MRllllMaullj ). Let 9^ and S^, be resources with inter- 
faces I and filters <j> and ip- We say that a protocol it (securely) constructs 
out of within s, and write 31^ — ^> S^,, if there exist simulators a = {crjjigi 
such that, 

VP CI, d{-K V <j) V 'Ji,aT K vi>pS) < e. (2) 

This definition requires 2™ inequalities to be satisfied in a model with n play- 
ers, i.e., one for every possible subset of dishonest players. In practice however, 
if we are only interested in modeling security when a given set of players is 
known to always be honest, then it is sufficient to consider only the correspond- 
ing inequalities from Eq. (2) This is equivalent to giving those players arbitrary 
filtered functionalities, and reflects the fact that we do not place any restrictions 
on what these players might achieve, were they to be dishonest. 
Remark 2.2. Abstract cryptography (AC) differs from universal composability 
(UC) [Can051 IUnrl0j in many conceptual and mathematical ways. In particu- 
lar, the AC requirement that there exist distinct simulators at each interface 
instead of merging all dishonest players into one entity make it strictly more 
powerful than UC: this allows mutually distrustful dishonest players to be mod- 
eled as a feature of the ideal resource, and thus directly capture notions such as 
coercibility [MRllj . 

However, in the special case of one dishonest player, the corresponding 



Eq. (2) is equivalent to what one obtains by modeling the same problem with 



UC. Since the rest of this work deals with delegated quantum computation, a 
two party protocol with one dishonest player, exactly the same results could 
have been obtained using the UC framework. 



3 Delegated quantum computation 

In the (two-party) delegated quantum computation (DQC) model, Alice wants 
to ask a server, Bob, to execute some quantum computation for her. Intuitively, 
Alice plays the role of a client, and Bob the part of a computationally more 
powerful server. However, Alice has several security concerns. She wants the 
protocol to be blind, that is, she wants the server to execute the quantum 
computation without learning anything about the task he is computing other 
than what is unavoidable, e.g., an upper bound on its size, and possibly whether 
the output is classical or quantum. She may also want to know if the result sent 
to her by Bob is correct, which we refer to as vcrifiability. 

In lScction 3.1l wc briefly define the notation and some basic concepts that we 
uscjf|. In lScction 3.2l we model the ideal resource that a DQC protocol constructs 

8 For a more detailed introduction to quantum information theory we refer to NC00 WatOS . 



8 



and the structure of a generic DQC protocol. And finally, in lSection 3.3l we apply 
the generic AC security definition ^Definition 2.1[) to DQC, and introduce the 
appropriate distinguishing advantage. 

3.1 Notation and basic concepts 

H. always denotes a finite-dimensional Hilbcrt space. We denote by C(T~La,T-Lb) 
the set of linear operators from Ha to T-Lb, by C{H) the set of linear operators 
from H to itself, and by V(Ji) the subset of positive semi-definite operators. We 
define the set of normalized quantum states S(Ji) :={pe?(H) : tr p = 1} and 
the set of subnormalized quantum states S<(H) := {p G V(Ji) : trp < 1}. We 
write Wab = Ha <B> Hb for a bipartite quantum system and pab G S<(%ab) 
for a bipartite quantum state, pa = ^t:b{pab) and ps = tTA(pAB) denote the 
corresponding reduced density operators. 

The set of feasible maps between two systems A and B is the set of all com- 
pletely positive, trace-preserving (CPTP) maps £ : C(Ha) —> C{Hb)- By the 
Kraus representation, such a map can always be given by a set of linear operators 
{E k G £(H A ,H B )}k with J2k E l E k = 1a- We then have £(p) = Ek E kpEl 
We also consider trace non-increasing maps — in particular, to describe the evo- 
lution of a system conditioned on a specific measurement outcome — i.e., maps 
with operators Ek such that J2k E l Ek — ^-A- Though when unspecified, we 
always mean trace-preserving maps. For a quantum state p G S<(Hac) and a 
map £ : C(Ha) — > C(Hb), £(p) is shorthand for (£ (g) idc){p), where idc is the 
identity on system C. 

The trace distance between two states p and a is given by D(p,a) = ^ \\p — 
cr||tr, where || • || tr denotes the trace norm and is defined as ||A|| tr := tr \J A^A. 
If D(p, tr) < e, we say that the two states are e-close and often write p w e a. 
The trace distance has a physical interpretation as the distinguishing advantage 
between two normalized states p, a G S(H): the probability of a player correctly 
guessing which of the two he holds is \ + \D(p 1 a). In |Appcndix A| we define the 
generalized trace distance and the purified distance, which are more appropriate 
for subnormalized states. 

If a player is given one of two maps £,J r : £(71 a) — > C(Hb), and asked to 
guess which one he holds, he can generate a state par, apply the map to the 
A part, and try to distinguish between the resulting states £{par) and T(par)- 
This gives rise to the diamond norm, 

PIU := nn«{||($® id fl )(p)|| tr : p G S(U A r)}, 

and the corresponding distance o(£, F) = — -^Ho- Note that the maximum 
of the diamond norm can always be achieved for a system R with dim = 
dimJiA- Here too, we sometimes write £ « e T if two maps are e-close. 

Throughout this paper we mostly use the standard notation for common 
quantum gates, for instance X and Z denote the Pauli-A" and Pauli-Z op- 
erators. We will additionally often refer to the the parametrized phase gate 
Z g = |0)(0| + e ie |l)(l|, and the two-qubit controlled-^ gate ctrl-Z = |00)(00| + 
|01)(01| + |10)(10|-|11)(11|. 



9 



3.2 DQC model 



3.2.1 Ideal resource 

To model the security (and correctness) of a delegated quantum computation 
protocol, we need to model the ideal delegated computation resource § that we 
wish to build. We start with an ideal resource that provides blindness, and 
denote it § b . 

The task Alice wants to be executed is provided as an input to the resource 
S b at the A-interfacc. It has two parts, some quantum state ipA ± and a classical 
description $a 2 of some quantum operation that she wants to apply to ip, i.e., 
she wishes to compute $(?/>). This can alternatively be seen as applying a 
universal computation U to the input ^Ui ® \®)(® \a ■ We adopt this view in 
the remainder of this paper, and simply write tpA for Alice's input consisting of 
both the state and the description of the operation, and U(i(ja) for the desired 
outputjfl 

The ideal resource § b thus takes this input if) a at its A-intcrfacc, and, if Bob 
does not activate his filtered functionalities — which can be modeled by a bit 
&, set to by default, and which a simulator erg can flip to 1 to signify that 
it is activating the cheating interface — § b outputs U(i^a)- This ensures both 
correctness and universality (in the case where U is a universal computation). 
Alternatively, § & can be restricted to work for inputs corresponding to a certain 
class of computational problems, if we desire a construction only designed for 
such a class. 

At the B-interface, the ideal resource outputs all the "permitted leaks" that 
are intentionally made public by a protocol, e.g., the number of qubits and 
steps that Bob will need to perform the computation, and possibly whether the 
final result of the computation that Bob should deliver is a quantum state or a 
classical string. 

Bob also has another filtered functionality, one which allows him to tamper 
with the final output. The most general operation he could perform is to give a 
quantum state ips to § b along with the description of some map £ : L{Hab) 
£(Ha), and ask it to output £(i(jab) at Alice's interface. Since S b only captures 
blindness, but says nothing about Bob's ability to manipulate the final output, 
we define it to perform this operation and output any £{jPab) at Bob's request. 

Definition 3.1. The ideal DQC resource § b which provides both correctness 
and blindness takes an input tpA at Alice's interface, a filtered control bit b (set 
by default to 0), state tpB and map description \£)(£\ at Bob's interface. If b = 0, 
it outputs U(t/ja) at Alice's interface; otherwise it outputs the permitted leaks 
at Bob's interface, reads the inputs ipB and \£){£ |, and finally outputs £(iPab) 
at Alice's interface. 

A DQC protocol is verifiable, if it provides Alice with a mechanism to detect 
a cheating Bob, and output an error flag err instead of some incorrect computa- 
tion. This is modeled by weakening Bob's filtered functionality: an ideal DQC 

9 Note that in the following we do not explicitly require the computation U to be universal, 
the same model can be used for protocols implementing some specific computation. We do 
not enforce either that the input consist in a classical computation description and a quantum 
state to which it is applied, any quantum input i^a will do. Any protocol which requires the 
input to have a certain structure for correctness can embed this requirement in U, e.g., it first 
measures the parts of the input expected to be classical. 



10 



resource with verifiability, § v , only allows Bob to input one classical bit c, which 
specifies whether the output should be 14 (if; a) or some error state |err), which 
by construction is orthogonal to the space of valid outputs. The ideal resource 
thus never outputs a wrong computation. 

Definition 3.2. The ideal DQC resource § v which provides correctness, blind- 
ness and verifiability takes an input tf>A at Alice's interface, and two filtered 
control bits b (set by default to 0) and c. If b — 0, it simply outputs U[^>a) 
at Alice's interface. If b = 1, it outputs the permitted leaks at Bob's interface, 
then reads the bit c, and conditioned on its value, it cither outputs U(ip a) or 
|err) at Alice's interface. 



3.2.2 Concrete setting 

In the concrete setting, Alice's protocol it a receives ipA as an input on its outside 
interface. It then interacts with Bob's protocol 7Tb, and produces some final 
output pa- For the sake of generality we assume that the operations performed 
by it a and ttb, and the communication between them, are all quantum. Of 
course, a protocol is only useful if Alice has very few quantum operations to 
perform, and most of the communication is classical. However, to model security, 
it is more convenient to consider the most general case possible, so that it applies 
to all possible protocols. 

A cryptographic protocol can in general be modeled by a sequence of CPTP 
maps {Si : C{U AC ) -> C{U A c)}? =l and {F, : C{U C b) -> ^Hcb)}^ 1 , which 
Alice and Bob apply successively to their respective systems and the communi- 
cation channel C (which is initially in the state |0)). For example, in the first 
round Alice applies 8\ to the joint system AC, and sends C to Bob, who applies 
T\ to CB, and returns C to Alice. Then she applies £2, etc. In the last round 
Alice applies £n, and if both played honestly, she should hold the correct output 
U(ip) in her system A. 



3.3 Security of DQC 
3.3.1 Security notions 

If we represent the communication channel as the resource 3?, we have from 
IDcfinition 2.1l tha.t a DQC protocol tt constructs a blind quantum computation 
resource § b within e if there exists a simulator &b such thatF"!. 

ttaRttb ~e S b J_s and ttaR ~ e S b <7B, (3) 

where J_b is a filter which obstructs Bob's cheating interface. If a protocol 
fulfills the first condition in Eq. (3)| we say that it provides e-correctness, and if 



the second one is satisfied, we have s-blindnes$P\. If e = we say that we have 
perfect blindness. 



10 From now on, we write all the converters plugged in the A-interfaces on the left of the 
resources and those plugged in the _B-intcrfaccs on the right. 

11 A related concept of e-blindness, designed specially for the protocol of IBFK09| . was also 
introduced in IDKL12 I. There, e quantifies the distance between the original protocol, and a 
realization of the protocol where Alice's quantum devices are not perfect. Since we prove in 
IScction 1. ll that this protocol is blind with error e = 0, by the triangle inequality, a realization 
of a protocol which is e-blind w.r.t. the definition in IDKL12I is e-blind w.r.t. the definition 
introduced in this paper (but the converse does not hold). 



11 



Likewise in the case of verifiability, the ideal resource §" is constructed by it 
from 51 if there exists a simulator ob such that, 



IT A JllTl 



and 



(4) 



The first condition from Eq. (4) is identical to the first condition of Eg. (3)| and 
captures e-correctncss. Since this ideal resource provides both blindness and 
verifiability, we say that a protocol is e-secure if the second condition in Eq. (4) 
is satisfied. If e = we say that we have perfect security. 



3.3.2 Distinguishing advantage 

The resources ttaRitb and SJ-s both take a single input (at the A-interface) and 
produce a single output (also at the ^-interface) . They can thus be assimilated 
to individual CPTP maps, and the distinguishing advantage between the two 
is given by the diamond norm, defined in IScction 3.11 the best a distinguisher 
can do is prepare an initial state par, feed the A part to the resource, and 
measure the joint system of the output and reference system R to decide if it 
holds it a 317Tb or § v J-b- 

The case of the resources tta^ and Sag is more complex. 7r^3? can be 
seen as half of an interactive protocol, and described by a sequence of maps 
{£i : C(Hac) — > C(J-lAc)}f=i, as in its description in IScction 3.2.21 Since <jb 
is designed to make S<tb indistinguishable from the concrete setting, it will 
have the same structure, and also be represented by a sequence of maps of the 
same length and on the same Hilbcrt spaces. This type of resource has been 
called a quantum N-comb and thoroughly studied by Chiribella, D'Ariano and 
Perinotti |CDP09j . In particular, they give a concise representation of combs 
in terms of the Choi-Jamiolkowski isomorphism, and define the appropriate 
distance measure between combs, corresponding to the optimal distinguishing 
advantage. Here, we briefly explain this measure, and refer to jCDP09j for more 
details. 

If a distinguisher holds either itaR or S<tb, it can attempt to guess which one 
it is holding by generating an initial state p G S(Har) — which for convenience 
we define as a map on no input p := £>o() — and inputing the A part of the state 
into the resource. It receives some output pcr from the resource, can apply some 
arbitrary map T>\ : C{TIcr) ~* £(1~Lcr) to the state, and input the C part of the 
new state in the resource. Let it repeat this procedure with different maps T>i 
until the end of the protocol, after which it holds one of two states: 4>ar if it had 
access to 7r^3? and ifAR if it had access to Sob. The trace distance D((/)ar, <Par) 
defines the advantage the distinguisher has of correctly guessing whether it was 
interacting with ttaJI or Sctb, and by maximizing this over all possible initial 
inputs par = and all subsequent maps {T>i : C(Hcr) £(HcR.)}i, the 

distinguishing advantage between these resources becomes 

d{TT A %^ B ) = maxD(^)AR,<PAR)- (5) 



12 



4 Composable universal blind quantum compu- 
tation protocols 

We prove in this section that two different DQC protocols proposed in the lit- 
erature construct the ideal blind quantum computation resource S b defined in 



IDcfinition 3.11 To show this, we need to prove that both conditions from Eq. (3) 



are satisfied for e = 0. In |Appcndix B| we show that stand-alone correctness is 



is lm- 



equivalcnt to composable correctness, and thus the first part of Eq. (3) 
mediate from existing literature. In the following sections, wc prove that these 
protocols also provide perfect blindness. Note that they do not provide vcrifia- 
bility, we therefore cannot use the generic results from IScction "5l and IScction "6l 
to prove that they are blind. 

We start in lSection 4.1l with the DQC protocol of Broadbent, Fitzsimons and 
Kashefi |BFK09| , which we describe in detail in IScction 4.1.11 In this protocol, 
Alice hides the computation by encrypting it with a one-time pad; and the 
simulator we construct to prove its security is similar in spirit to the simulator 
needed to prove the security of the one-time pad. In IScction 4.1.21 we thus first 
sketch the security proof of the one-time pad, and in IScction 4.1.31 we prove 
that the DQC protocol of Broadbent, Fitzsimons and Kashefi provides perfect 
blindness. 

Morimae and Fujii |MF12| proposed a DQC protocol with one-way communi- 
cation from Bob to Alice, in which Alice simply measures each qubit she receives, 
one at a time. We show in IScction 4.21 that the general class of protocols with 
one-way communication is perfectly blind. 



4.1 DQC protocol of Broadbent, Fitzsimons and Kashefi 
4.1.1 The protocol 

This protocol BFK09 was originally called Universal Blind Quantum Compu- 
tation (UBQC), and in the following we use this name. For an overview of 
the UBQC protocol, we assume familiarity with measurement-based quantum 
computing, for more details see [RB01llDKP07j . Suppose Alice has in mind a 
unitary operator U that is implemented with a measurement pattern on a brick- 
work state Q n y.(m+i) ( |Figurc Tj ) with measurements given as multiples of 7r/4 in 
the (X, Y) plane with overall computation size S = nx(m+1). Note that mea- 
surement based quantum computation, where the measurements are restricted 
in the sense above is approximately universal, so there are no restrictions im- 
posed on U [BFK09] . 

This pattern could have been designed either directly in MBQC or generated 
from a circuit construction. Each qubit in Q nx (m+i) is indexed by a column 
y € {0, . . . , m} and row x £ {1, . . . , n} = [n]. Thus each qubit is assigned a 
measurement angle <f> x ,y, & set of X-dcpcndcncics D x y C [n] x {0, . . . ,y — 1} 
and a set of ^-dependencies D' x C [n] x {0, . . . , y — 1} . 

The dependency sets comprise subsets of the set of the two-coordinate indices. 
They reflect the fact that in measurement-based quantum computation, to en- 
sure a correct and deterministic computation, the measurement angles which 
define the computation may have to be modified for each qubit depending on 
some of the prior measurement outcomes. In particular, here we assume that the 
dependency sets D XtV and D' x are obtained via the flow construction |DK06] . 



13 




Figure 1 - The brickwork state, Q nX m, a universal resource state for 
measurement-based quantum computing requiring only single qubit measurement 
in the (X, Y) plane |BFK09| . Qubits \ip x ,y) (x = 1, . . . , n, y — 1, . . . , m) are ar- 
ranged according to layer x and row y, corresponding to the vertices in the above 
graph, and are originally in the |+) = t^(|0) + |1)) state. Controlled-Z gates 
are then performed between qubits which are joined by an edge. The rule deter- 
mining which qubits are joined by an edge is as follows: 1) Neighbouring qubits 
of the same row are joined; 2) For each column j = 3 mod 8 and each odd row 
i, the qubits at positions and (i + and also on positions + 2) and 

(i + 1, j + 2) are joined; 3) For each column j = 7 mod 8 and each even row 
i, the qubits at positions and (i + and also on positions + 2) and 

(i + 1, j + 2) are joined. The quantum input is usually placed in the leftmost 
column of the brickwork state, whereas the output is generated in the rightmost 
column by sequential single qubit measurements. The qubits are usually mea- 
sured from top to bottom per column, where the order of columns is from left to 
right. 



During the execution of the computation, the adapted measurement angle 
4>' x ,y i s computed from <f> x . y and the previous measurement outcomes in the fol- 
lowing way: let s xy = ®ieZ5 x y Si be the parity of all measurement outcomes for 
qubits in D xy and similarly, s xy ~ ®ieD' x y Si be the parity of all measurement 
outcomes for qubits in D' x (the index i here is a two coordinate index, an 
element of [n] x {0, . . . , m}). Then, 

&,» = (-l) a S*tfx,l/ + sf, V T- (6) 

Likewise, if the first column of the brickwork state is a one-time pad encryp- 
tion of the inpuiF^l. the measurement angles of the first two columns have to be 
updated to compensate for (bit) flips i x performed by the encryption, namely 

</4,o = (-!) 4x <Ai:,o and cf>' xl = (f> x ,i +i x ir. (7) 

Protocol [H implements a blind quantum computation for an input ipA = 
Pin ® |f )(f UJ- It was shown in [BFK09J that this protocol is correct, i.e., if 
both Alice and Bob follow the steps of the protocol then the final output state 

IS Pout = Up in W. 

12 In UBQC with a quantum input, the input is initially encoded with a variant of the 
quantum one-time pad by Alice, to preserve her privacy. The operators implementing the 
one-time pad that Alice applies to the input may include an arbitrary rotation within the 
XY plane of the Bloch sphere (a Zg rotation), and a Pauli-X operator. Because of the 
commutation relation (X <g> id)ctrl-Z = ctrl-Z(Jf (g) Z) between the Pauli-X operator and the 
controlled Z entangling operation, this component of the one-time pad must be accounted for 
in the measurement angles for the neighbours of the input layer, as in |Eq. (7)| 

13 The particular variant of the UBQC protocol we present assumes a quantum input and 
a quantum output, however the Protocol is easily modified to take classical inputs and/or 



14 



Protocol 1 Universal Blind Quantum Computation 



Alice's input: 

• An ?i— qubit unitary map U , represented as a sequence of measurement 
angles {4> x ,y\ of a one-way quantum computation over a brickwork state 
of the size ux(m+l), along with the X and Z dependency sets D x>y , D x , 
respectively. 

• An ri-qubit input state pi n 

Alice's output (for an honest Bob): 

• The n— qubit quantum state p ou t = Upi n U' 

The protocol 

1. Alice's preparation 

1.1. For each x <G [n], Alice applies X lx Z$ x to the x th qubit of the input 
Pin, where the binary values i x and the angles 6 x ,o S {^ 7T /^}'k = o 
are chosen uniformly at random for each x. This is equivalent to 
encrypting it with a quantum one-time pad. The result is sent to 
Bob. 

1.2. If i x = 1, Alice updates the measurement angles c/) Xj o and 4>x,i to 



compensate for the introduced bit flip (see Eq. (7) ). 
1.3. For each column y G [m— 1], and each row x € [n], Alice prepares the 
state |+e XiV ) := t^(|0) + e l6 *- y |1)), where the defining angle 9 x<y € 
{kn / 4} 7 k=0 is chosen uniformly at random, and sends the qubits to 
Bob. 

2. Bob's preparation 

2.1. Bob creates n qubits in the |+) state, which are used as the final 
output layer, and entangles the qubits received from Alice and this 
final layer by applying ctvl-Z operators between the pairs of qubits 
specified by the pattern of the brickwork state Q n x(m+i)- 

3. Interaction and measurement 

For y = 0, . . . , m — 1, repeat 
For x = 1, . . . , n, repeat 



3.1. Alice computes the updated measurement angle (j>' x y (see Eq. (6) ), to 
take previous measurement outcomes received from Bob into account. 

3.2. Alice chooses a binary digit r XtV € {0, 1} uniformly at random, and 
computes S x . y = 4>' x y + 6 XlV + nr x . y . 

3.3. Alice transmits S x ^ y to Bob, who performs a measurement in the basis 

{\+s x , y ), !-««,„)}• 

3.4. Bob transmits the result s XtV € {0, 1} to Alice. 

3.5. If r x ^ y = 1, Alice flips s XlV ; otherwise she does nothing. 

Output Correction 

4.1. Bob sends to Alice all qubits in the last (output) layer. 

4.2. Alice performs the final Pauli corrections {Z s * m X s *> m } x=1 on the 
received output qubits. 



15 



4.1.2 One-Time Pad proof sketch 

The basic idea behind the construction of the simulator required for the proof 
of composable security of the UBQC protocol is the same as in the case of a 
simpler protocol — the Quantum One-Time Pad (QOTP). The QOTP ensures 
confidentiality, but not authenticity, of the exchange of quantum messages over 
an untrusted quantum channel. 

The ideal confidentiality resource §, which we wish to construct, has three 
interfaces, A (Alice, the sender), B (Bob, the receiver) and E (Eve, the eaves- 
dropper). Alice inputs a message pa, Eve only learns the message size — though 
for simplicity, we assume that the message size is fixed, and do not model it ex- 
plicitly in the following — but can arbitrarily modify or replace the message. 
Similarly to the blind DQC ideal resource (jDcfinition 3.1|) . the eavesdropper's 
capacity to arbitrarily manipulate the message is captured ed by allowing some 
arbitrary state p B and a description of a map £ : C^Hae) — > C(%b) to be 
input at the i?-intcrface of the ideal resource, which then outputs £(pae) at the 
S-interface. 

The resources 3? available to the QOTP protocol (tta, ttb) are a shared secret 
key and an insecure quantum channel, which simply outputs at the E'-interface 
anything which Alice inputs, and forwards to the B-interface anything which 
Eve inputs, tta applies bit and phase flips (conditioned on the bits of the secret 
key) to Alice's input and sends the result down the insecure channel, and ttb 
decrypts by applying the same flips to whatever it receives. 

To prove that this protocol constructs the ideal confidentiality resource, we 
need to find a simulator oe that, when plugged into the E- interface of the ideal 
resource, emulates the communication on the insecure quantum channel and 
finds the appropriate inputs p B and £ that correspond to Eve's tampering, so 
that ideal and concrete cases are indistinguishable. In other words, we need to 
find a erg such that 

tta^b = Sob. (8) 

In the concrete setting, the distinguisher accessing itaRttb can choose an 
arbitrary input Par, a PPby an arbitrary map T> to the state on the quantum 
channel (output at the i?-interface) and its own system R, and put the result 
back on the quantum channel. After decryption by ttb , it ends up with the final 
state p b u r- This is depicted for one-qubit messages in |Figure~2j 

In the ideal setting, the simulator &e needs to simulate the quantum channel 
and provide the ideal resource § with information allowing it to generate the 
same output p B u R as in the concrete case. It does this by outputting half an 
EPR pair (for every qubit of message) at its outer interface, and transmitting 

produces classical outputs, see IBFK09| . In the classical input case, the quantum input is 
simply not sent, and the preparation of the classical input is assumed to be encoded in the 
computation itself. For the classical output, the server would simply measure out the final 
column of qubits as well, which produces in a one-time padded version of the computation 
result. The quantum input-output setting is more general than other variants, and the security 
of this variant implies the security of the classical input/output versions. Also, the quantum 
one-time pad of the input states used in this protocol could be replaced with a standard 
quantum one-time pad which uses only the local X and Z gates, instead of the X and the 
parametrized Zq gate, as presented here. In this case Bob would telcport the input state onto 
the brickwork state built out of the pre-rotated qubits, and the protocol would continue 
as we have presented (but taking into account the teleportation outcomes reported by Bob). 
However, for our purposes we adhere to this variant of the protocol as it is consistent with 
the original proposal in IBFK09I . and slightly simpler. 



16 



KB 



x x — z z 



z z — x x 



Par< 



V 



>pTb, 



Figure 2 - Interaction of the distinguisher and the QOTP. 



the other half along with any state it received at its outer interface to the ideal 
resource. It also provides the ideal resource with the "instructions" 8 to gate 
telcport the real input through the map T> of the distinguisher, i.e., it telcports 
the input using the EPR half, registers the possible bit and phase flips, and 
outputs the second state received after having corrected the bit and phase flips 
from the teleportation. This entire procedure is depicted for onc-qubit messages 
in |Figure 3| 



AR 



I 

,0\E 



L 



r 



1+) 



-e- 



V 



I I 



H 



X* 



>P°B U R 



Figure 3 - Interaction of the ideal confidentiality resource S and the simulator 
o e with the distinguisher. S does not leak any information to the adversary, it 
receives inputs from Alice (p'X) and the simulator, and transmits some state to 
Bob. (je — which does give information to the adversary — has no access to the 
confidential message p™. 



We now show that the circuits from |Figure 2] and [Figure 3] are identical, 



hence Eq. (8) holds. The argument generalizes straightforwardly to multiple 
qubit messages. We first rearrange |Figurc 3| by grouping the state preparation 
(performed by erg) and the actual teleportation (performed by §). This results 
in |Figure 4| 

The circuit in the dashed box of |Figurc~4| teleports the input from the first 
wire to the third wire (without correcting the random flips). This is equivalent 
to simply performing a random bit and phase flip on the input, which is exactly 
what is done by the QOTP in |Figure 2| 



4.1.3 Security 

In this section we prove that the UBQC protocol (Protocol [T]) provides perfect 
blindness. Similarly to the one-time pad proof sketch from IScction 4.1.21 we 
construct a simulator that emulates the communication during the protocol by 
sending only EPR pair halves and random strings, then transmits the other 
halves and the transcript to the ideal blind DQC resource. Whenever a one- 



17 



Par 



H 



—f — (& 

-e — 



z 

X 



V 



z z — X 



>Pbr 



Figure 4 - Reformulation of | Figure 3| by grouping the simulator and the tele- 
portation step of the ideal confidentiality resource. The circuit in the dashed box 
simply encrypts the input with a random bit and phase flip. 



time padded quantum state should have been sent, the ideal resource teleports 
it using the EPR half, and uses the bit and phase flips of the teleportation as 
one-time pad key. And whenever a random string r was sent instead of some 
one-time padded string s, the ideal resources sets r © s as the random key used 
to encrypt and send s. 

To prove that the real and ideal settings are identical, we replace steps of 
the protocol by equivalent steps, until we end up with the desired simulator and 
ideal resource. 

Protocol [1] does not explicitly model the information that is intentionally 
allowed to leak. This information consists in the size of the brickwork state 
(which leaks upper bounds on the input state size and computation size), and 
whether the last column of the brickwork state should be measured, i.e., whether 
the output of the protocol is classical or quantum. It is simply assumed that 
this information is known by the server (Bob), otherwise it could not perform 
the desired computation. For simplicity we also avoid modeling this information 
in the following. The protocol and proof can however be trivially changed to 
include it. 

Theorem 4.1. The DQC protocol described in Protocol]!] provides perfect blind- 
ness. 

Proof. To prove that tta'R = S^cts, we successively modify the protocol tta, 
replacing some steps with equivalent steps that implement the same map, re- 
sulting in several intermediary protocols, until we achieve a version which is 
equivalent to S b aB- 

The first intermediary protocol is given by Protocol [5J Compare Step 11.11 
of Protocol [T] and Step 11.11 of Protocol [2J In the former, Alice picks random 
values Q x fi and i x and performs corresponding phase and bit rotations on the 
x th input qubit. In the latter, she performs a random 0' x phase rotation, and 
teleports the resulting state. For teleportation outcomes i x and r x ,o, and setting 
&x.o '■= 0' x o + 7Tr x.o-, Bob holds exactly the same state. Since the different values 
of i x and 9 X fi occur with the same (uniform) probabilities in both protocols, 
these implement identical maps. 

Likewise, compare Step ll.3l of Protocol [1] and Step 11.31 of Protocol [21 In the 
former Alice sends a state \+e x „) to Bob; in the latter Bob ends up holding the 



18 



Protocol 2 UBQC, equivalent protocol for Alice, first version 



The protocol 

1. Alice's preparation 

1.1. For each x <S [n], Alice prepares an EPR pair (|00) + \ll))/y/2 and 
sends half to Bob. She picks an angle 9' x € {^ 7r /4}^ =0 uniformly 
at random, and applies Zgi g to the x th qubit of the input pi n . She 
then teleports the resulting qubit using her half of the EPR pair, 
and registers the values of the bit and phase flips resulting from the 
teleportation in i x and r X fi, respectively. 

1.2. If i x = 1, Alice updates the measurement angles <j) x ,o and (f> Xt i (see 



Eg. (7) l 



1.3. 



For each column y G [m — 1], and each row x G [n], Alice prepares 
an EPR pair (|00) + \ll))/y/2 and sends half to Bob. She then picks 
an angle 9' xy <G {k^/^} 7 k=0 uniformly at random, performs a Z q*^ 
rotation followed by a Hadamard H on her half of the pair, and 
measures it in the computational basis. She stores the result in 



Interaction and measurement 

For y = 0, . . . , m — 1, repeat 
For x = 1, . . . , n, repeat 



2.1. Alice computes the updated measurement angle cj>' x y 

2.2. Alice computes 6 XtV = <j>' x y + 9' x y and transmits this to Bob 

2.3. Alice receives a bit s XtV e {0, 1} from Bob. 



sec Eq. (6) ) 



2.4. Ifr, 



1, Alice flips s XtV ; otherwise she does nothing. 



3. Output Correction 

3.1. Alice receives n qubits from Bob, and performs the final Pauli cor- 
rections {Z s "- m X s ' c ' m } x=1 on these qubits. 



state ). If Alice sets 9 Xt o := 9 X + Trr X fi in her internal memory, all 

states of the systems are identical for both protocols. 

Finally, the only other difference between these protocols is in Steps 13.21 and 
12.21 of the two protocols, respectively. In the former, Alice sends Bob the angle 
0'x o + ®x,o + ^fx.o, for some randomly picked bit r x ^; in the latter, she sends 
4>' x Q + 6' x . But as we've already established, these two angles are identical, and 
occur with the same (uniform) probabilities. 

Now, compare Protocol [H and Protocol El The main difference is between 
Stcp l2.2l of Protocol[2]and Stcp l2.2l of Protocoll3l In the former, Alice had picked 
6' x y uniformly at random, and sends Bob S x<y , a one-time padded version of cf>' x y 
with 6' x as the key; hence 5 XtV is uniformly distributed. In the latter protocol, 
Alice instead picks 5 XjV uniformly at random (in Step |2.2| ). then computes 9 X := 
S X , V — 4>' xy (in Step l2.4[) to get the value of the uniform key used to encrypt 4>' xy . 

In Protocol [2j Alice used the value of 9' x in Steps 11.11 and 11.31 Since 
9' x is not available at those stages of Protocol 02 the corresponding steps are 
delayed until this value is available. Hence Step 11.11 of Protocol [3] only consists 
in performing the first part of the teleportation (which commutes with the Zq< 



19 



Protocol 3 UBQC, equivalent protocol for Alice, second version 



The protocol 

1. Alice's preparation 

1.1. For each x <S [n], Alice prepares an EPR pair (|00) + \ll))/y/2 and 
sends half to Bob. She performs the first measurement of a teleporta- 
tion that determines the bit flip, i.e., for each x she performs a CNOT 
on the corresponding EPR half using the input qubit as control, and 
measures the EPR half in the computational basis. She records the 
outcome in i x . 

If i x — 1, Alice updates the measurement angles <fi Xt o and q 



1.2. 



sec 



Eq- (7) I 



For each column y 6 [m 
an EPR pair (|00) + |11 



1.3. 



Interaction and measurement 

For y = 0, . . . , m — 1, repeat 
For x = 1, . . . , n, repeat 



1], and each row x € [n], Alice prepares 
2 and sends half to Bob. 



2.1. 
2.2. 

2.3. 
2.4. 



Alice computes the updated measurement angle 4>' xy (see Eq. (6)). 
Alice picks an angle 5 x>y £ {^ 7r /4}^ =0 uniformly at random, and 
sends it to Bob. 

Alice receives a bit s x>y <G {0, 1} from Bob. 

Alice computes 9' x y = S x _ y — qS' x y . She then applies Zg^ , followed 
by a Hadamard H and a measurement in the computational basis to 
the x th qubit of the input pi n if y = 0, and to the corresponding EPR 
half if y > 0. She stores the result in r x ,y 



2.5. Ifn, 



1, Alice flips s x>y ; otherwise she does nothing. 



Output Correction 

3.1. Alice receives n qubits from Bob, and performs the final Pauli cor- 
rections {Z Sx > m X s "' m }^ =1 on these qubits. 



rotation) and in Step II .31 Alice only sends half an EPR pair. In Step 12.41 after 
computing 8 X y , Alice completes those two steps by performing the missing 
operations. 

Protocol 2] consists in exactly the same steps as Protocol [H but their order 
has been rearranged, and the different parts have been renamed "simulator" 
and "ideal resource". The ideal blind DQC resource constructed meets the 
requirements of lDcfinition 3.ll we have tta^- = S^cs and conclude the proof. □ 

4.2 One-way communication 

If a protocol only requires one-way communication from Bob to Alice, the pro- 
tocol model described in lScction 3.2.21 can be simplified: it only consists in two 
operations. Bob generates a state t, which he sends to Alice on the channel C. 
She then applies some operation E : C(Hac) ^ £(Ha) to her input and r, and 
outputs the contents of her system A. 



20 



Protocol 4 UBQC, simulator and ideal resource 



The simulator 

1. For each column y € {0,...,m — 1}, and each row x € [n], the simula- 
tor prepares an EPR pair (|00) + \11))/V2 and outputs half at its outer 
interface. 

2. For each column y € {0, . . . , m — 1}, and each row x € [n], the simulator 
picks an angle 6 x>y G {kir / 4}' k=0 uniformly at random, and outputs it at 
its outer interface. It receives some response s x<y £ {0, 1}. 

3. The simulator receives n qubits, which correspond to the last (output) 
layer. 

4. The simulator transmits all EPR pair half, all angles 5 XjV , bits s Xj y and 
output qubits to the ideal blind delegated quantum computation resource, 
along with instructions to perform the operations described hereafter. 

The ideal blind DQC resource 

1. The blind DQC resource receives the input pi„ and a description of the 
computation given by angles <j) Xty at its ^-interface, and all the information 
described in Step @] above at its B-interface. 

2. For each x €E [n], it performs the first measurement of a telcportation of 
the input, i.e., for each x it performs a CNOT on the corresponding EPR 
half using the input qubit as control, and measures the EPR half in the 
computational basis. It records the outcome in i x . 



3. If i x = 1, it updates the measurement angles 4>x,o and 4>x,i (see Eq. (7)). 

4. For y = 0, . . . , m — 1, repeat 

For x = 1, . . . , n, repeat 



4.1. It computes the updated measurement angle <p' x (see Eq. (6) ). 

4.2. It computes 9' x y = S x . y — 4>' x y . It then applies Zg^ , followed by a 
Hadamard H and a measurement in the computational basis to the 
x th qubit of the input pi n if y = 0, and to the corresponding EPR 
half if y > 0. It stores the result in r x>y . 

4.3. If r x _ y = 1, it flips s Xty ; otherwise it does nothing. 

The ideal blind DQC resource performs the final Pauli corrections 
{Z Sa: . m X s ^' m }" =1 on the received output qubits, and outputs the result at 
its A-interface. 



21 



Theorem 4.2. Any DQC protocol n with one-way communication from Bob to 
Alice provides perfect blindness. 

Proof. The simulator ob works as follows. It receives some state tpc from the 
distinguisher, and provides it to the abstraction § b along with a description of 
the map £ that is used by tta- Alice's output is thus £(ipAc): an d we immediately 
have d(TTAR, Sub) = 0. □ 

This proof does not mention the permitted leaks at the B-interface. This is 
because protocols with one-way communication make the (implicit) assumption 
that this information is known to the server. Alternatively, one could include 
a single message from Alice to Bob containing this information, and adapt the 
proof above accordingly. 



5 Composable verifiability 

Finding a simulator to prove the composability of a protocol can be challenging. 
In this section we reduce the task of proving that a DQC protocol provides 
composable security (blindness and verifiability) to proving that the map imple- 
mented by the protocol is close to some ideal map that intuitively provides both 
(stand-alone) blindness and verifiability. The converse also holds: any protocol 
which provides composable security must be close to this ideal map. 

A malicious server Bob will not apply the CPTP maps assigned to him by 
the protocol, but his own set of cheating maps {Fi : C(Hcb) — > CCHcb)} 1 ^ 1 ■ 
A protocol provides stand-alone blindnes^f] if the final state held by Bob could 
have been generated by a local map on his system — say, T — independently 
from Alice's input, but which naturally depends on his behavior given by the 
maps It provides stand-alone verifiabilit-yP^l if the final state held by 

Alice is either the correct outcome or some error flag. Combining the two gives 
an ideal map of the from U <g> J-" ok + £ rr <g> J rorr , where J- ok and J 70 " break J 7 down 
in two maps which produce the correct outcome and an error, respectively. 

Definition 5.1 (Stand-alone blind verifiability). We say that a DQC protocol 
provides stand-alone e-blind verifiability, if, for all adversarial behaviors 
there exist two completely positive, trace non-increasing maps J- B k and .F^ rr , 
such that 

Vab ~ £ U A ®T B k + £J (9) 

where Vab ■ £{T~Lab) — > ^{"Hab) is the map corresponding to a protocol run 
with Alice behaving honestly and Bob using his cheating operations and 
£" discards the A system and produces an error flag |err)(err| orthogonal to all 
possible valid outputs. 

Remark 5.2. Similarly to the protocol descriptions from lSection 41 this definition 
assumes the allowed leaks (e.g., input size, computation size) to be fixed, and 
applies to all protocols Vab tailored for inputs with an identical leak (e.g., 
identical size). These leaks could be explicitly modeled by allowing the maps 
J- B k and Tg™ to depend on them. 

We now prove that IDefinition 5.11 is equivalent to composable security. 

14 We provide formal definitions of stand-alone blindness and verifiability in lSection 6.11 



22 



Theorem 5.3. Any protocol which provides stand-alone e-blind verifiability is 
2e-secure. And any protocol which is e-secure provides stand-alone e-blind veri- 
fiability. 

Proof. We start by showing that blind verifiability implies composablc security. 
To do this, we define the simulator as to work as follows. It sets the bit b = 1, 
receives the permitted leaks from § v , picks an input ips compatible with this 
information, and runs the protocol tta on this input. After the last step, it 
projects the state it holds in B on |err)(err| and I — |err)(err|, and sends c = to 
§ v if no error was detected, otherwise it sends c = 1. As defined in lDefinition 3.21 
S" then either outputs the correct result or an error depending on the value of 
c. 

As described in IScction 3.3.21 the most general operation the distinguishcr 
can perform to distinguish between the resources tta$- and S v o~b, is to choose 
some initial state ipAR, send ipA to the system with which it is interacting, 
apply some operations {Fi : £(Hcr) ^("Hcfi)}^ 1 each time it receives 
some message on the channel C, and return each time the new state in C. 

Let p\ R be the final state when the distinguisher is interacting with tta'R- 



By Eq. (9) (with B renamed R), this state is e-close to 



r% R = (U ® T ok ) {i> AR ) + |crr)(crr| <g> F m ^ R ), 

for some J-" ok and F m which depend only on {J~i}i, not on ip A R- 

When the distinguisher is interacting with Sctb and using the same opera- 
tions and initial state Vari let ^arb be the state of the system at the 



end of the subroutine tta and before sending the bit c to Then, using Eq. (9) 
(with B renamed R, A renamed B, and a new extension A), we find that ^a RB 
is e-close to 



7 arb = ( id A ®F° k <8> U) (VUfl ® $b) + (icU <&F™) fokm) ® |err)( 



err 



The final operation performed by S" to generate the output can be seen as a 
map S, which conditioned on B being an error, deletes B and overwrites A with 
an error, and conditioned on B being a valid output, deletes B and applies Li to 
the system A. Since a map can only decrease the distance between two states, 
the final state of the system after this operation, <j>AR '■= ^( < Parb)' ^ s £- c l° se to 
S(ja RB ) = ^~ar ■ By the triangle inequality we thus have p\ R «2e 4>^ar- 

We now prove the converse. If the protocol is e-secure, there exists a simula- 
tor o~b such that tta^ ~ e So\b- A distinguisher interacting with one of the two 
systems chooses an initial state ipAR-, and applies operations T\ : C(1-Lcr) ~^ 
£>(?Hcr) to the messages received on the channel C and the system R. 

Consider now the interaction of the simulator and the distinguishcr. Since 
the simulator deletes its internal memory when it terminates, and outputs only a 
single bit c notifying the ideal resource to output the correct result or an error, 
the combined action of the two can be seen as a CPTP map T : C(Hr) — s- 
{0,1} x C(Hr). Conditioning on the output {0,1}, we explicitly define two 
trace non-increasing maps F^.F " : C^Hr) — > C(Hr). 

Since the ideal blind and verifiable DQC resource outputs the correct result 
upon receiving 0, and an error otherwise, the joint map of ideal resource, sim- 
ulator and distinguisher is given by U ® J rok + £" <£> J 70 ". And this map must 
be e-close to the real map, otherwise the distinguisher would have an advantage 
greater than e. □ 



23 



6 Stand-alone definitions 



Although the notion of blind verifiability defined in the previous section captures 
composablc security in a simple way, it is still more elaborate than existing def- 
initions found in the literature, that treat blindness and verifiability separately. 

In IScction 6.11 we provide definitions for these separate notions of blindness 
and verifiability, and strengthen the latter by requiring the test of correctness to 
be independent from the input. In IScction 6.21 we show that in the case where 
the server Bob does not hold an entanglement of the input (e.g., when the input 
is classical), these notions are sufficient to obtain stand-alone blind verifiability 
(and hence composable security) with a similar error parameter. In the case 
where Bob's system is entangled to Alice's input, we show that the same holds, 
albeit with an error increased by a factor (dim'Hyi) 2 . 

This implies that the protocol of Fitzsimons and Kashefi |FK12j . which 
satisfies these individual stand-alone definitions, provides composable security. 

6.1 Blindness and independent verifiability 

Stand-alone blindness can be seen as a simplification of blind verifiability, in 
which we ignore Alice's outcome and only check that Bob's system could have 
been generated locally, i.e., is independent from Alice's input (and output). 

Definition 6.1 (Stand-alone blindness). A DQC protocol provides stand-alone 
e-blindness, if, for all adversarial behaviors {Fiji, there exists a CPTP map 
T : C(Hb) -> C(H B ) such that 

tr A oVab ~ e J 7 ° tivt, (10) 

where o is the composition of maps, and Tab '■ C{Hab) — ^ £(Hab) is the map 
corresponding to a protocol run with Alice behaving honestly and Bob using his 
cheating operations 

Likewise, stand-alone verifiability can also be seen as a simplification of 
blind verifiability, in which we ignore Bob's system and only check that Alice 
holds either the correct outcome or an error flag |crr), which by construction is 
orthogonal to any possible valid output. In the following we define verifiability 
only for the case where Bob's system is not entangled to Alice's input, since 
otherwise the correct outcome depends on Bob's actions, and cannot be modeled 
by describing Alice's system alonj^l. 

Definition 6.2 (Stand-alone verifiability). A DQC protocol provides stand- 
alone e- verifiability, if, for all adversarial behaviors {J~i}i and all initial states 
fpARt ® fpR 2 B, there exists a < < 1 such that 

p\ Ri ^ e p^{U®id Rl )^A Rl ) + (l-p*)|errXerr| ®if, Rl , (11) 

where p\ Rl is the final state of Alice and the first part of the reference system. 

15 The re sulting defi nition is equivalent to that of IFK12I and stand-alone authentication 
definitions lBCG+02] , which bound the probability of projecting the outcome on the space of 
invalid results. 



24 



As mentioned in IScction Tl stand-alone blindness and stand-alone verifia- 
bility together are strictly weaker than composable blindness and verifiability. 
This seems to be because the verification procedure can depend on the input 
(as in the example from IScction 1.1[> . and thus if Bob learns the result of this 
measurement, he learns something about the input. This motivates us to define 
a stronger notion, in which Alice's measurement is independent of her input. To 
do this, we divide Alice's internal system in two subsystems A and A, such that 
A contains Alice's output, and A is the register that she measures to decide if 
the output is correct, i.e., she applies some projection {Pf t ,Pj[ T }, and condi- 
tioned on the outcome, either outputs A or deletes A and outputs |err). The 
notion of verifiability is strengthened by additionally requiring that leaking this 
system A to the adversary does not provide him with more information about 
the input, i.e., Bob could (using alternative maps) generate the system A on his 
own. 

Before writing up the definition, we need to introduce some extra notation. 
Let the state of the system just before Alice's final measurement be given by 
^icb, and define 



AABR 

pqk tf p< 



ok ._ pqk V pqk 

AABR •- A t AABR A 



j^err — P c - m ' w ^ _ P c - Tr 
VAABR ■- A r AABR A 

&AABR : ~ ^AABR + &AABR: U^) 

The final state of the system after Alice generates the error flag is then 

Pabr = ^a(Kabr) + KXcrrl ® tr AA (^ ABB ). (13) 

Definition 6.3. A DQC protocol provides stand-alone e-independent e-verifi- 
ability, if, in addition to providing stand-alone e-verifiability, for all adversar- 
ial behaviors {J 7 ; : C(Hcb) — > £(McB)}i there exist alternative maps {F[ : 
C(H C § B ) — > £{T-LcBB)}i (f° r an initially empty system B), such that 

tr A oQaab ~e tT AA °Q'aAbb> ( 14 ) 

where o is the composition of maps, and Q a Ab '■ £(7~Lab) ^ ^-(J^aAb) an d 
Q' AA g B ■ £{T~Lab) — > £{T~L a abb) are the maps corresponding to runs of the two 
protocols until Alice generates and measures the register A with the accept / 



reject bit (Eq. (12) I, but before generating the final outcome (Eq. (13) ). 



Remark 6.4. By the triangle inequality, if a protocol provides both stand-alone 
e-blindness and stand-alone e-independent e'-verifiability, then there exists a 
map T' : C(Hb) — > ^CH-ab) sucn tnat 

tr A °QaAB ~e+s J 7 ' ° tl'A • (15) 



6.2 Composability from stand-alone security 

We first show in ILemma 6.61 that in the special case of initial states which are 
not entangled between Alice and Bob's systems (e.g., the input is classical), 
stand-alone blindess and independent verifiability are sufficient to achieve blind 
verifiability, i.e., composable security. In IThcorcm 6.71 we then generalize this 
to any initial state. 



25 



Remark 6.5. The two proofs in this section only hold for DQC protocols that 
implement unitary transformations. This is however the case of the universal 
computation of jBF K09, MF12, FK12j . which, by appending the classical part 
of the input to the output, implement a unitary transformation on a classical- 
quantum system. 



Lemma 6.6. If a DQC protocol implementing a unitary transformation pro- 
vides stand-alone Shi-blindness and stand-alone e ^-independent e ver -verifiabil- 
ity for any pure initial state of the form tp A R 1 ® 1 Pr 2 b j then the protocol provides 



stand-alone S-blind verifiability with 8 = 2y / 2e ver + em + Eind- 

Proof. In this proof, we use several times the following simple equality. For two 
states p = |0)(0| <g> p + |1)(1| ® p\ and a = |0)(0| <g> a Q + |1)(1| ® 01, we have 



D(p,a) = D(p ,a ) + D(p 1 ,a 1 ). (16) 
In lRcmark 6. 41 we combined the conditions of blindness and the independence 



of the verifiability mechanism into one new formula, Eq. (15) It is thus sufficient 



to prove that if Eq. (15) and Eq. (11) are satisfied for any pure product initial 
state ipAR! ® i>R 2 B, then we have blind verifiability, i.e., 



Par 1 r 2 b ~<5 (U <8> idfl li?2 ®.F ok ) (tp ARl <8 i(jr 2 b) 



+ |errXerr| ® ^j Rl ® (id R2 O^XV^s): (17) 



for some J-" ok and F c " . 

Since |err) is orthogonal to any valid output, both the RHS of Eq. (17) and 
LHS (given in Eq. (13) I are a linear combination of orthogonal states on the 
same subspaces. And thus by Eq. (16) to show that Eq. (17) holds for some 8, 
it is sufficient to find maps J- ok and J 701 ' 1 , and Si and 82 with 8% + 82 = 8, such 
that 



t >°AR 1 R 2 B ~Si ( u ' 



ICIY ^ 

"RiB ~S 2 



(id; 



id_R!_R 2 



F ){i>A Rl ®4>R 2 B), 
){tpR 2 B)- 



(18) 
(19) 



Let T' : C(Hb) — > £(H-ab) be the map guaranteed to exist by the com- 



bination of blindness and independent verifiability (Eq. (15)), and let and 



V™ T be the maps corresponding to the projections performed by the protocol 
on system A to detect if Bob was dishonest. We define 



770k 

•f B 
77CIT 



Note that w.l.o.g., we can take T' to generate a linear combination of two 
orthogonal states, one in the subspace and one in the V c " ■ Thus, applying 
Eq. (14) to the initial state 4>AR t ® 4>R 2 b and using Eq. (16) [ we find that there 
exist e\ and E2 with e\ + £2 = £ind + £bi such that 



4>°R 2 B « 61 (}&R 2 ®F£){4>R 2 B), 



-orr 
P R 2 B 



-2 ( id fl 2 ®F\ 



{^R 2 B) 

){i } R 2 B) 



(20) 
(21) 



Note that Eq. (21) is exactly one of the conditions we need to find, namely 



Eq. (19) We now still need to bound Eq. (18) 



26 



We take the definition of vcrifiability, Eq. (11) again, both the RHS and 



LHS (defined in Eq. (13) ) are linear combinations of orthogonal states on the 



same subspaces, hence there exist e\ and £2 with £1 + £2 = £ V cr, such that 

A «=i (W ® ^ ) (^AJfc ) , (22) 
tr(0M«=,l-P*- (23) 



From |Eq. (23)| we have that tr^^J = 1 - tr(<$£ B ) w E - 2 p^. The gener al- 



is 



ized trace distance (see |Appcndix A[ ) between the two states from Eq. (22) 
thus bounded by D(^>°^ R , p^U {i^aRx )) < £1 + £2 = £vcr- From ILemma A. ll 
we can upper bound the purified distance with the generalized trace distance, 
and get P(^4>^ R jP^U^ar!)) < y/2e vcr . We can now apply Uhlmann's theo- 
rem to the purified distance (see ILemma A.2[) and find that since U (ipARi ) is 
a pure state, there exists a (Jr 2 b such that P{4' ar 1 r 2 BtP^^{' > 1'ar 1 ) ® 0\r 2 b) = 



P{ ( I )0 ar 1 tP^^{' i I ) ar 1 )) ■ Hence bv lLemma A. 11 the triangle inequality, and Eq. (20) 



D^ar^bM^ar,) ® ^(fes)) 

+ D^U^AR,)® <TRtBMW>ARi)® Ffii'RiB)) 

< V2^- + D(pK R2 b^°r 2 b) + D(K 2 b^£(^r 2 b)) 

< 2V2i^ + £i. 

Combining this with our bound for |Eq. (19) | we prove the lemma. □ 



In the following theorem we consider the case of an initial state arbitrarily 
entangled between Alice and Bob. We reduce this case to the separable state 
case treated in ILemma 6.6l with an increase of the error by a factor of (dim 'Ha) 2 - 

Theorem 6.7. If a DQC protocol implementing a unitary transformation pro- 
vides stand-alone en-blindness and stand-alone 6i n d-independent e ver -verifiabil- 
ity, then it provides stand-alone S-blind verifiability with S = N 2 (2^/2s ver + Em + 
£ind), for N = dim "Ha- 

Proof. For n = log dim % a and an initial state ipABR we define the state 
^qabrs ■= l$ + X* + lSl ® VW. where l* + > = (100) + |H))/V2 is an EPR 
pair and ip'sRS = ^bra- For any map Sab ■ C(Hab) — > £{T~Lab) we have 



SaB^ABr) = 2 2 "tr QS (|$+)($ + QSaB^'qaBRS^W 



QS 



The projection on |$ + )($ + |q£ can be seen as a teleportation of the system S 
into A with a post-selection on the branch where no bit or phase corrections are 
necessary. 

Let Qab ■ J0.(Hab) — > £{T~Lab) be the map corresponding to a run of the 
protocol with Alice behaving honestly and Bob using his cheating strategy. Fur- 
thermore, let P' : C(Hb) — > £>{Hab) be the map guaranteed to exist by the 



combination of blindness and independent verifiability (Eq. (15) I, and let 



and V^' 1 be the maps corresponding to the projections performed by the proto- 



27 



col on system A to detect if Bob was dishonest. We define 

where U is the map implemented by the DQC protocol and £" deletes the 
contents of A and outputs the error flag |err). 
We then have for all ipABR, 

D(Qab(iPabr), TIab{^abr)) 

= 2^(tr QS (|^X^|^Q^(^ B ^)|* + X* + lS)' 

< 2 2n D(Q AB ^' QABRS ),TlAB(^ QA BRs))- 

Note that the state i/j'qabrs ^ s m product form w.r.t. the systems QA and 
BRS. This allows us to apply [Lemma 6.1j1 from which we get 

D(Qab(iPqabRs)^Ab(^q A BRs)) < 2v^£ V er + £bl + £i„d- □ 

This proof assumes that the entire subsystem A of the initial state ip is 
quantum. If part of A is classical, the proof can be trivially modified by leaving 
this classical part in the A subsystem of ip 1 , and only teleporting the quantum 
part of the state from 5* to A. This effectively reduces the factor (dim "Ha) 2 to 
the quantum part of A. 

Acknowledgments 

VD is supported by the EPSRC Doctoral Prize Fellowship. Initial part of 
this work was performed while VD was at Heriot-Watt University, Edinburgh, 
supported by EPSRC (grant EP/E059600/I). JF acknowledges support from 
the National Research Foundation and Ministry of Education, Singapore. CP 
and RR are supported by the Swiss National Science Foundation (via grant 
No. 200020-135048 and the National Centre of Competence in Research 'Quan- 
tum Science and Technology'), and the European Research Council - ERC 
(grant no. 258932). 

Appendices 

A Distance measures for subnormalized states 

In lScction 3.11 we introduced the trace distance D(p,a) between two quantum 
states. Another widely used measure is the fidelity, defined as 

F(p,a) :=tr(V 'p^ap 1 /^. 



28 



When dealing with subnormalized states, we need to generalize these mea- 
sures to retain their properties. The following distance notions are treated in 
detail in [ TCR10] . and we refer to that work for more information. 

For any two subnormalized states p, a £ 5<("H), we define the generalized 
trace distance as 

D{p,a) :=D(p,(r) + -\txp-tra\, 

and the generalized fidelity as 

F{p, a) := F(p, a) + y/(l - tr p)(l - tr a). 

The (generalized) fidelity has a useful property, known as Uhlmann's theo- 
rem (see [NCOO or lLcmma A.2l here below), which states that for any two states 
p, a, there exist purifications of these states which have the same fidelity. We 
define a metric, the purified distance, based on the fidelity, so as to retain this 
property: 

P(p,a) := y/l-F*(p,cT). 

This metric coincides with the generalized distance for pure states, and is 
larger otherwise. 

Lemma A.l (See jTCRlOl Lemma 6]). Let p,a e S<{H). Then 

D(p,<x)<P(p,a) < ^2D{p,a). 
Uhlmann's theorem restated for the purified distance is as follows. 

Lemma A.2 (See |TCR1Q[ Lemma 8]). Let p 7 a £ S<{H A ) and <p E S<{Uar) 
be a purification of p. Then there exists a purification ip 6 S<(Har) of a such 
that P(p,a) = P(tp,ip). 

B Stand-alone and composable correctness 

A protocol provides stand-alone correctness if, when Bob behaves honestly, Al- 
ice ends up with the correct output. This must also hold with respect to a 
purification of the input. 

Definition B.l. A DQC protocol provides stand-alone e-correctness, if, when 
both parties behave honestly, for all initial states ipAR, the final state of Alice's 
system and the reference system p\ R is 

pta^e (U®id R )(ip AR ). (24) 

It is straightforward, that this also implies composable correctness, as defined 
in Eqs. [pj] and [gj] in ISection 3.31 

Lemma B.2. A DQC protocol which provides stand-alone e-correctness is also 
composably e-correct. 

Proof. The resources 'ka'^b and SJ-s have only one input and output, both 
on the A-interface. By IDcfmition B.U for any initial state ijjAR, the output 
of ttaRttb is £-close to (U <g> idB.)(if>AR), whereas the output of S_L_b is exactly 
(U ® 'v\r){^ar)- So the two resources are e-close. □ 



29 



References 



[ABE10] 
[AFK87] 

[AS06] 
[AVI 2] 
[BCG+02] 

[BFK09] 



D. Aharonov, M. Bcn-Or, and E. Eban. Interactive proofs for quan- 
tum computations. In Proceedings of Innovations in Computer Sci- 
ence 2010, page 453, 2010. [axXiv:0810.5375) . 

M. Abadi, J. Feigenbaum, and J. Kilian. On hiding information from 
an oracle. In Proceedings of the nineteenth annual ACM symposium 
on Theory of comp uting, STOC '87, pages 19 5-203, New York, NY, 
USA, 1987. ACM. jdoi:10.1145/28395.28417| . 

P. Arrighi and L. Salvail. Blind quantum computation. In- 
ternational Journal of Quantum Information, 4:883-898, 2006. 
arXiv:quant-ph/0309152] . 



Dorit Aharonov and Umesh Vazirani. Is Quantum Mechanics Falsifi- 
ablc? A computational perspective on the foundations of Quantum 
Mechanics. June 2012. f arXiv:1206.3686) . 

Howard Barnum, Claude Crepeau, Daniel Gottesman, Adam Smith, 
and Alain Tapp. Authentication of quantum messages. In Proceed- 
ings of the 43rd symposium on foundations of computer Science, 
FOCS '02, pages 449-458. IEEE, 2002. 



arXiv:quant-ph/0205128 . 



Anne Broadbent, Joseph Fitzsimons, and Elham Kashcfi. Univer- 
sal blind quantum computation. In Proceedings of the 50th sympo- 
sium on foundations of computer science, FOCS '09, pages 517-526. 



IEEE Computer Society, 2009. doi:10.1109/FOCS. 2009.36 . 



[BKB+12] Stcfanic Barz, Elham Kashcfi, Anne Broadbent, Joseph F. Fitzsi- 
mons, Anton Zeilinger, and Philip Walther. Demonstration of Blind 
Quantum Computing. Science, 335(6066):303-308, January 2012. 
doi:10.1126/science.l214707] . 



[BOM04] 
[BPW04] 

[CanOl] 

[Can05] 



Michael Ben-Or and Dominic Mayers. General security definition 
and composability for quantum & classical protocols, eprint, 2004. 
[arXiv:quant-ph/0409062] . 

Michael Backes, Birgit Pfitzmann, and Michael Waidner. A general 
composition theorem for secure reactive systems. In Proceedings 
of the First Theory of Cryptography Conference, TCC '04, pages 
336-354. Springer, 2004. |doi:10.1007/978-3 540-24638-l_L9| . 

Ran Canetti. Universally composable security: A new paradigm 
for cryptographic protocols. In Proceedings of the 42nd Symposium 
on Foundations of Computer Science, FOCS '01, page 136. IEEE, 
2001. 

Ran Canetti. Universally composable security: A new paradigm 
for cryptographic protocols. Updated version of [CanOlj . 2005. 
IACR e-print: 2000/067|. 



30 



[CDP09] 

[Chi05] 
[Deu85] 

[DK06] 

[DKL12] 

[DKP07] 

[Fey82] 

[FK12] 
[Gen09] 



Giulio Chiribella, Giacomo Mauro D'Ariano, and Paolo Perinotti. 
Theoretical framework for quantum networks. Phys. Rev. 
A, 80:022339, Aug 2009. [doi:10.1103/PhysRevA.80.022339| 
larXiv:0904.4483j . 

Andrew M. Childs. Secure assisted quantum computa- 
tion. Quantum Info. Compute 5(6):456-466, September 2005. 



arXiv:quant-ph/0111046 . 



David Deutsch. Quantum Theory, the Church- Turing Principle 
and the Universal Quantum Computer. Proceedings of the Royal 
Society of London. Series A, Mathematical and Physical Sciences, 
400(1818):97-117, 1985. [doi:10.2307/2397601| . 

Vincent Danos and Elham Kashefi. Determinism in the 
one-way model. Phys. Rev. A, 74(5):052310, Nov 2006. 



doi:10.1103/PhysRcvA.74.052310 . 



Vcdran Dunjko, Elham Kashefi, and Anthony Leverrier. Blind 
quantum computing with weak coherent pulses. Phys. Rev. Lett., 
108:200502, May 2012. |doi:10.1103/PhysRevLett.l08.20050"2| . 

Vincent Danos, Elham Kashefi, and Prakash Panangaden. 
The measurement calculus. J. ACM, 54(2), April 2007. 



doi:10. 1145/1219092. 1219096 . 



Richard P. Feynman. Simulating physics with computers. Inter- 
national Journal of Theoretical Physics, 21(6):467-488, June 1982. 
[doi:10.1007/BF02650179l . 

Joseph Fitzsimons and Elham Kashefi. Unconditionally verifiable 
blind computation, eprint, 2012. |arXiv:1203lm7] . 

Craig Gentry. Fully homomorphic encryption using ideal lattices. 
In Proceedings of the 41st annual ACM symposium on Theory of 
comput ing, STOC '09, pages 169-17 8, New York, NY, USA, 2009. 
ACM. 



doi:10.1145/1536414.1536440 . 



[HMQU06] Dennis Hofheinz, Jorn Miiller-Quade, and Dominique Unruh. On 
the (im)possibility of extending coin toss. In Advances in Cryp- 
tology, Proceedings of EUROCRYPT '06, volume 4004 of Lec- 
ture Notes in Computer Science, pages 504-521. Springer, 2006. 
IACR e-print: 2006/177] . 



[Mau02] 



[Maull] 



Ueli Maurer. Indistinguishability of random systems. In Lars 
Knudsen, editor, Advances in Cryptology, Proceedings of EURO- 
CRYPT '02, volume 2332 of Lecture Notes in Computer Science, 



pages 110-132. Springer, May 2002. [doi:10. 1007/3-540-46035-7JS . 



Ueli Maurer. Constructive cryptography — a new paradigm for 
security definitions and proofs. In Proceedings of Theory of Secu- 
rity and Applications, TOSCA 2011, pages 33-56. Springer, 2011. 



doi: 10. 1007/978-3-642-27375-9^3 . 



31 



[MDK11] 
[MF12] 

[Morl2] 

[MPR07] 



[MRU] 
[MS10] 

[NCOO] 
[PWOO] 

[RAD78] 

[RB01] 

[TCRIO] 

[Unr04] 
[UnrlOl 



T. Morimae, V. Dunjko, and E. Kashefi. Ground state blind quan- 
tum computation on aklt state, eprint, 2011. arXiv: 1009.3486 . 

Tomoyuki Morimae and Keisukc Fujii. Blind quantum com- 
putation for alicc who does only measurements, eprint, 2012. 
[arXiv:1201.3M6] . 

Tomoyuki Morimae. Continuous-variable blind quantum 
computation. Phys. Rev. Lett. 109:230502, Dec 2012. 
[doi:10.1103/PhysRevLett.l09.23050"2] . 

Ueli Maurer, Krzysztof Pietrzak, and Renato Renner. Indistin- 
guishability amplification. In Alfred Menezes, editor, Proceed- 
ings of the 27th Annual International Cryptology Conference on 
Advances in Cryptology, CRYPTO '07, volume 4622 of Lecture 
Notes in Computer Science, pages 130-149. Springer, August 2007. 



doi:10. 1007/978-3-540- 74143-5JS 



Ueli Maurer and Renato Renner. Abstract cryptography. In Pro- 
ceedings of Innovations in Computer Science, ICS 2010, pages 1-21. 
Tsinghua University Press, 2011. 

Michclc Mosca and Douglas Stcbila. Quantum coins. In Error- 
Correcting Codes, Finite Geometries and Cryptography. Contempo- 
rary Mathematics, volume 523, pages 35-47. American Mathemati- 
cal Society, 2010. |arXiv:0911.1295] . 

Michael A. Nielsen and Isaac L. Chuang. Quantum Computation 
and Quantum Information. Cambridge University Press, 2000. 

Birgit Pfitzmann and Michael Waidner. Composition and integrity 
preservation of secure reactive systems. In Proceedings of the 
7th ACM Conference on Computer and Communications Security, 



CSS '00, pages 245-254. ACM, 2000. doi:10. 1145/352600.352639 . 



R. Rivest, L. Adleman, and M. Dertouzos. On data banks and 
privacy homomorphisms. In Foundations of Secure Computation, 
pages 169-177. Academic Press, 1978. 

Robert Rausscndorf and Hans J. Briegel. A one-way quan- 
tum computer. Phys. Rev. Lett, 86:5188-5191, May 2001. 



doi:10.1103/PhysRevLett.86.5188| . 



Marco Tomamichel, Roger Colbeck, and Renato Renner. 
Duality between smooth min- and max-entropies. IEEE 
Transactions on Information Theory, 56(9):4674-4681, 2010. 



doi:10.1109/TIT.2010.2054130 arXiv:0907.5238 . 



Dominique Unruh. Simulatable security for quantum protocols, 
eprint, 2004. |arXiv:quant-ph/0409125] . 

Dominique Unruh. Universally composable quantum multi- 
party computation. In Advances in Cryptology, Proceed- 
ings of EUROCRYPT '10, pa ges 486-505. Springer, 2010. 
|doi:10.1007/978-3-642-13190-5-25H ar Xiv:0910.2912) . 



32 



[Vaz07] U. Vazirani. Computational constraints on scientic theories: in- 
sights from quantum computing, 2007. |http : //www . cs . caltechT 
|edu/schulman/Workshops/CS-Lens-2/cs-lens-2 .html[ 

[Wat08] John Watrous. Theory of quantum information, 2008. Lecture 
Notes, |http : //www . cs . uwaterloo . ca/~watrous/quant-inf o/[ 



33 



